
Network access control (NAC) is defined as an approach to security that unifies various network endpoint security technologies - such as anti-virus, host intrusion prevention and vulnerability assessment techniques - as well as user or system authentication and network security enforcement systems.
Basically, NAC should prevent end systems from communicating on the network until the 'health' of each end system has been determined, because an unassessed system could pose a security risk to critical processes and services.
End systems can be defined as traditional PCs, printers, IP phones, IP security cameras, etc.
Elements of end systems, such as security patch level, anti-virus/anti-malware presence, anti-virus/anti-malware signature updates, applications running, open ports, etc., can all be investigated to determine their overall health.
In an ideal world, the NAC should allow for the assessment of any type of end system connected to the network. This is becoming more important with the increasing diversity in the network-connected end systems in typical networks.
To have a comprehensive, proactive posture to network security, every end system connecting to the network (no matter what type of device) should be challenged by the NAC solution.
NAC should also integrate the automatic remediation process into the network (fixing non-compliant nodes before allowing access), allowing the network infrastructure elements - such as routers, switches and firewalls - to work together with back-end servers and end-user computing equipment to ensure the system is not contaminated before interoperability is facilitated.
NAC solutions must also allow network operators to define policies, such as the types of computers or roles of users permitted to access defined areas of the network, and enforce them in switches, routers, and network middleware.
One of the concept's biggest benefits is its ability to thwart 'zero-day' attacks by preventing laptops and desktop computers that lack anti-virus, patches, or host intrusion prevention software from accessing the network and placing the entire infrastructure at risk.
Reality check
Against this backdrop, NAC has been touted as an 'overall security solution' by some vendors. But this is not true.
In reality, many NAC implementations on the market provide only basic one-time access control, with some form of endpoint health check assessment. This does not address the problem in enough depth.
What's more, many NAC solutions currently do not rely on an end-system authentication challenge as part of the access control process.
Authentication should be the critical foundation of any NAC solution; it is required to meet the scalability, flexibility, visibility and strong enforcement requirements of network usage and security policies.
Once a user or a machine is authenticated and credentials have been verified, the authorisation process takes place, altering the configuration of the source network physical port or virtual flow to enable communications based on a set of policy rules.
NAC solutions need to be dynamic, persistent and ongoing. They should provide granular security policies which can be enforced at any time, and which understand the context of the communications between the endpoint and the IT infrastructure.
These solutions must also offer an open-architecture, standards-based approach to enable an organisation to use best-of-breed assessment technologies from industry-leading vendors.
Open philosophy
An open-architecture approach will also ensure that NAC solutions fully integrate with the authentication, authorisation and policy-enforcement capabilities of the existing network. This approach will not require the replacement of any installed infrastructure products.
Because the NAC philosophy will be part of an integral, secure network architecture, users will be assured of both pre-connect and post-connect security through proactive and reactive technologies - all integrated into one system.
Such a solution will ensure visibility and control of whom and what is allowed to connect to the network. Dangerous and non-compliant end systems will be isolated and kept from negatively impacting the business processes that the network supports.
It will also provide a comprehensive approach to the requirements of assessing any end system, authorising network usage based on a variety of important contextual factors (such as location, time of day, MAC address and user identity overrides) and enforcing security and business communication policies.
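The flow described above, authentication first, then context-based authorisation and endpoint health assessment, with non-compliant systems isolated for remediation rather than simply refused, can be made concrete with a small policy engine. The following is an added illustrative example, not code from this article or from any Duxbury product: every threshold, role name, VLAN label and MAC registry entry in it is a constructed placeholder, and a real deployment would read such values from a policy server and push the resulting VLAN or flow rule to the switch port.

```python
"""Toy NAC policy engine (illustrative, not a real product's API):
endpoint health assessment, authentication-driven authorisation and
context rules (location, time of day, MAC address, user role)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set, Tuple


class Decision(Enum):
    DENY = "deny"                    # port stays closed
    QUARANTINE = "remediation-vlan"  # may reach patch/AV servers only
    GUEST = "guest-vlan"             # internet access only
    PRODUCTION = "production-vlan"   # full access


@dataclass
class Posture:
    av_installed: bool
    av_signature_age_days: int
    missing_critical_patches: int
    open_ports: Set[int] = field(default_factory=set)


@dataclass
class Endpoint:
    mac: str
    device_type: str            # "pc", "printer", "ip-phone", ...
    authenticated: bool         # did 802.1X / user authentication succeed?
    user_role: Optional[str]    # "employee", "contractor" or None
    location: str               # "office-lan", "guest-wifi", ...
    hour: int                   # local hour (0-23) at connect time
    posture: Optional[Posture]  # None when the device cannot be assessed


# Constructed policy values (assumptions for this example only).
MAX_SIGNATURE_AGE_DAYS = 7
FORBIDDEN_OPEN_PORTS = {23, 445}                # e.g. telnet, SMB on an endpoint
AGENTLESS_DEVICE_TYPES = {"printer", "ip-phone"}
KNOWN_AGENTLESS_MACS = {"00:11:22:33:44:55"}    # constructed registry entry
CONTRACTOR_HOURS = range(8, 18)                 # 08:00-17:59


def assess_health(posture: Posture) -> List[str]:
    """Return the list of compliance failures; an empty list means healthy."""
    failures = []
    if not posture.av_installed:
        failures.append("anti-virus missing")
    elif posture.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        failures.append("anti-virus signatures stale")
    if posture.missing_critical_patches > 0:
        failures.append(f"{posture.missing_critical_patches} critical patch(es) missing")
    bad_ports = posture.open_ports & FORBIDDEN_OPEN_PORTS
    if bad_ports:
        failures.append(f"forbidden ports open: {sorted(bad_ports)}")
    return failures


def authorize(ep: Endpoint) -> Tuple[Decision, List[str]]:
    """Pre-connect decision: authentication, then context, then health."""
    # 1. Authentication is the foundation. Unauthenticated devices are admitted
    #    only when they are known agentless devices matched by MAC profile.
    if not ep.authenticated:
        if ep.device_type in AGENTLESS_DEVICE_TYPES and ep.mac in KNOWN_AGENTLESS_MACS:
            return Decision.PRODUCTION, ["agentless device admitted by MAC profile"]
        return Decision.DENY, ["authentication failed"]

    # 2. Context: location and time-of-day rules.
    if ep.location == "guest-wifi":
        return Decision.GUEST, ["guest network location"]
    if ep.user_role == "contractor" and ep.hour not in CONTRACTOR_HOURS:
        return Decision.DENY, ["contractor outside permitted hours"]

    # 3. Health: non-compliant systems are isolated for remediation, not refused.
    if ep.posture is None:
        return Decision.QUARANTINE, ["posture could not be assessed"]
    failures = assess_health(ep.posture)
    if failures:
        return Decision.QUARANTINE, failures
    return Decision.PRODUCTION, []


def reassess(ep: Endpoint, new_posture: Posture) -> Tuple[Decision, List[str]]:
    """Post-connect re-evaluation: the check is ongoing, not a one-time gate."""
    ep.posture = new_posture
    return authorize(ep)


if __name__ == "__main__":
    laptop = Endpoint("aa:bb:cc:dd:ee:01", "pc", True, "employee",
                      "office-lan", 10, Posture(True, 2, 0, {443}))
    print(authorize(laptop))
    # Signatures go stale and a forbidden port opens while connected.
    print(reassess(laptop, Posture(True, 30, 1, {445})))
```

The three-stage ordering matters: a context rule such as the guest location is applied before the posture check, so an unmanaged visitor device is never told to remediate against the corporate patch server, while an authenticated corporate laptop that drifts out of compliance after connecting is moved to the remediation VLAN by `reassess` rather than left on the production network.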
It will also provide an all-inclusive approach to advising out-of-compliance end-users and assisting them in safe and secure remediation, at the same time providing significant compliance data.
In summary, NAC should be seen as an essential component for any organisation's overall security posture, mitigating the risks associated with the threats found in today's IT environments.
Market demand is coalescing around some of the industry's more advanced NAC solutions so we can expect to see vendors refining - or acquiring - the technologies and integrating them into broader solutions in the near future.
* Andy Robb is CTO at Duxbury Networking.